Fortunae LUG Mailing List
=========================

Solution found; I'm forwarding a post I came across in a forum that fixed it for me:

Hello,

Common configuration problem. The problem is basically that when you send a request to your www it is "redirected" to your internal machine, 192.168.1.2. Then when 192.168.1.2 wants to reply it sees that the requesting machine, 192.168.1.3, is on the same subnet so it replies directly. As a result the sync numbers don't match up, and when a reply is sent back to the requesting machine (192.168.1.3) it immediately sends a reset to 192.168.1.2 to try and resync the connection. Check out tcpdump to see this.

The packet needs to pass back through the firewall in order to make this work properly. Here's an example:

## DNAT ##
/usr/local/bin/iptables -t nat -A PREROUTING -i eth0 -p tcp \
    -s 192.168.1.0/24 -d 1.2.3.4 --dport 80 \
    -j DNAT --to 192.168.1.2:80

## SNAT ##
/usr/local/bin/iptables -t nat -A POSTROUTING -o eth0 -p tcp \
    -s 192.168.1.0/24 -d 192.168.1.2 --dport 80 \
    -j SNAT --to 192.168.1.1

So, basically, we're changing both source and destination IP addresses under only specific circumstances. As far as 192.168.1.2 is concerned, it's talking to the firewall throughout the whole transfer.

This, uh, works. Some weirdnesses have popped up with this config. If at all possible, throw another NIC in the box and put the web server on a DMZ, on another subnet. May save some headaches.

-Obsid
http://www.sentry.net/~obsid/

Simple, no?

Greetings and kisses,
Sco

-- 
"A Slackware is forever ..."
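The mechanism Obsid describes (DNAT alone lets the server answer the LAN client directly, so the client sees a SYN-ACK from 192.168.1.2 instead of 1.2.3.4 and resets; adding the SNAT forces the reply back through the firewall, which un-NATs it) can be traced step by step without a lab. The following is an added simulation written for this page, not code from the forum post or the list; it uses the post's addresses, a toy conntrack table and a "same subnet means direct delivery" routing rule, all of which are simplifications of the real kernel behaviour, and the client port 40000 is an arbitrary choice.

```python
"""Simulation of hairpin ("loopback") NAT on an iptables-style firewall.

Constructed example: addresses follow the post (client 192.168.1.3,
web server 192.168.1.2, firewall 192.168.1.1, public address 1.2.3.4).
The conntrack table and the routing rule below are deliberate
simplifications, enough to show why DNAT alone ends in a RST and why
adding the SNAT rule makes the handshake complete.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
CLIENT = "192.168.1.3"     # requesting LAN host
SERVER = "192.168.1.2"     # internal web server
FIREWALL = "192.168.1.1"   # LAN address of the NAT box
PUBLIC = "1.2.3.4"         # public address the client connects to


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "SYN"


class Firewall:
    """DNAT in PREROUTING, optional SNAT in POSTROUTING, plus a conntrack
    table so that replies are un-NATed in the reverse direction."""

    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        # reply tuple (src, sport, dst, dport) -> original unmodified packet
        self.conntrack = {}

    def forward(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            # Reply direction: undo both rewrites using the saved original
            orig = self.conntrack[key]
            return Packet(orig.dst, orig.dport, orig.src, orig.sport, pkt.flags)
        orig = pkt
        # PREROUTING DNAT: LAN -> 1.2.3.4:80 is redirected to 192.168.1.2:80
        if ip_address(pkt.src) in LAN and pkt.dst == PUBLIC and pkt.dport == 80:
            pkt = replace(pkt, dst=SERVER)
        # POSTROUTING SNAT (the fix): LAN -> 192.168.1.2:80 is given the
        # firewall's own address as source, so the server answers the firewall
        if (self.hairpin_snat and ip_address(pkt.src) in LAN
                and pkt.dst == SERVER and pkt.dport == 80):
            pkt = replace(pkt, src=FIREWALL)
        # Remember the tuple the reply will carry so it can be reversed
        self.conntrack[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = orig
        return pkt


def route_from_lan(pkt: Packet, fw: Firewall) -> Packet:
    """A LAN host delivers directly to any destination on its own subnet and
    sends everything else to the default gateway; a packet addressed to the
    firewall itself naturally arrives at the firewall too."""
    if pkt.dst != FIREWALL and ip_address(pkt.dst) in LAN:
        return pkt
    return fw.forward(pkt)


def server_reply(pkt: Packet) -> Packet:
    """The web server answers the source it saw; it knows nothing about NAT."""
    return Packet(SERVER, 80, pkt.src, pkt.sport, "SYN-ACK")


def client_receive(expected_peer, reply: Packet) -> str:
    """A SYN-ACK from a peer the client never sent a SYN to belongs to no
    socket, so the TCP stack answers with RST (what tcpdump shows)."""
    return "ESTABLISHED" if (reply.src, reply.sport) == expected_peer else "RST"


def simulate(hairpin_snat: bool):
    """Run one SYN/SYN-ACK exchange; returns (outcome, trace lines)."""
    fw = Firewall(hairpin_snat)
    trace = []
    syn = Packet(CLIENT, 40000, PUBLIC, 80)
    trace.append(f"client sends   {syn.src}:{syn.sport} -> {syn.dst}:{syn.dport}")
    at_server = route_from_lan(syn, fw)
    trace.append(f"server sees    {at_server.src}:{at_server.sport} -> "
                 f"{at_server.dst}:{at_server.dport}")
    reply = server_reply(at_server)
    at_client = route_from_lan(reply, fw)
    trace.append(f"client gets    {at_client.src}:{at_client.sport} -> "
                 f"{at_client.dst}:{at_client.dport} {at_client.flags}")
    outcome = client_receive((PUBLIC, 80), at_client)
    trace.append(f"client result  {outcome}")
    return outcome, trace


if __name__ == "__main__":
    for snat in (False, True):
        print(f"--- hairpin SNAT {'on' if snat else 'off'} ---")
        print("\n".join(simulate(snat)[1]))
```

Running it prints the DNAT-only exchange ending in RST and the DNAT+SNAT exchange ending in ESTABLISHED. The trace for the second case also makes the cost visible that the post mentions: the server sees 192.168.1.1 as the client, so its access logs lose the real LAN source address, which is one reason the author recommends a separate DMZ subnet instead.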